Snort mailing list archives

Snort Newbie

From: jzorzi () marketlinksolutions com
Date: Thu, 3 Mar 2005 14:44:18 -0500

Thanx for your response, I have another question now.

How is it possible that snort is monitoring communication between 2 machines
that are on a different subnet then the snort machine.

The machine running snort is on the 192.168.255.0/24 network but in the log
analysis I see these entries
 attacks  from              to                method
=========================================================================
   47     192.168.0.97      192.168.0.103      SNMP request udp   {UDP}
   44     192.168.0.97      192.168.0.103      SNMP public access udp
{UDP}
   44     192.168.0.97      192.168.0.104      SNMP public access udp
{UDP}
   44     192.168.0.97      192.168.0.104      SNMP request udp   {UDP}

My HOME_NET  is setup as follows
var HOME_NET [192.168.255.0/24,192.168.0.0/24,192.168.3.0/24,192.168.4.0/24]

The EXTERNAL_NET was setup as follows (until I received your email) var
EXTERNAL_NET any

Now due to significant changes being applied to the network structure all
the machines are not physically separated via cables and switches but the
ips still need to go through the routers in place.  What I mean is that the
physical network structure is setup to be one complete entity with no vlans,
no physical wire separation.  During this period of change though the ip
subnets still exist.  Which means that there are routers in place to route
the ip traffic appropriately.  The switches aren't configured with any
vlans, no monitoring ports and stp(Spanning Tree Protocol) is turned on for
all switches except for the switch that the snort server resides on.  The
switches are cisco catalyst switches.  The program used to generate the
result set was "snort_stat" retrieved from the snort.org website.

Give this information how is the above result set possible?
Does snort proactively monitor all communication on the network, meaning
does snort monitor traffic that isn't destined for the machine it runs on?

Thanx in advance for your help.  I'm a snort newbie and just trying to
figure out how to configure and understand how snort works. 
 

Jay Zorzi
Systems Administrator, Information Technology

MarketLink Solutions
see further. achieve more.

e - jzorzi () marketlinksolutions com
t - 416.260.2800 x299
f - 416.260.2893 



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

SNORT Newbie joel (Feb 13)
- RE: SNORT Newbie Adam Kliarsky (Feb 13)
  - RE: SNORT Newbie Joel Rushworth (Feb 21)
- <Possible follow-ups>
- FW: SNORT Newbie joel (Feb 13)
  - RE: SNORT Newbie Adam Kliarsky (Feb 13)
- RE: SNORT Newbie Western Canada CORSA (Feb 21)
- SNORT Newbie Western Canada CORSA (Feb 21)
- FW: SNORT Newbie Joel Rushworth (Feb 21)
- SNORT Newbie Joel Rushworth (Feb 21)
- Snort Newbie jzorzi (Mar 04)